Are healthcare data analytics companies business associates?
Tshedimoso Makhene
Feb 17, 2025 9:42:51 AM

Healthcare data analytics companies can be considered business associates under HIPAA, but it depends on the nature of their work and their relationship with a covered entity.
When are healthcare data analytics companies business associates?
A data analytics company is a business associate if they:
- Receive, maintain, or process protected health information (PHI) on behalf of a covered entity.
- Perform analytics on PHI for quality improvement, patient outcomes, cost reduction, or population health management.
- Provide predictive modeling or AI-driven insights using PHI.
- Offer data warehousing, dashboards, or risk assessment tools involving PHI.
- Have a business associate agreement (BAA) with a covered entity, outlining how they will protect PHI.
When are they not business associates?
They are not considered business associates if they:
- Only provide de-identified data analytics (data stripped of PHI per HIPAA standards).
- Offer generalized software that does not process PHI.
- Act as a subcontractor for another business associate without directly handling PHI.
HIPAA compliance
Whether or not a data analytics company qualifies as a business associate, if it works in the healthcare sector it is best practice to comply with HIPAA regulations. This ensures that sensitive patient information is protected at all times.
Recent news shows what is at stake: BerryDunn failed to protect the PHI of 1,107,354 individuals. This led to a data breach affecting patient information such as names, addresses, dates of birth, Social Security numbers, health insurance policy numbers, Medicare or Medicaid numbers, state or governmental ID numbers, passport numbers, and medical information. BerryDunn recently agreed to a $7.5 million settlement to resolve the claims.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
What happens if a healthcare data analytics company violates HIPAA?
HIPAA violations can lead to fines ranging from $141 to $71,162 per violation, with maximum penalties exceeding $2 million per year for non-compliance. Companies may also face lawsuits, reputational damage, and contract termination by covered entities.
Do business associates need to have a HIPAA compliance officer?
While HIPAA does not explicitly require business associates to appoint a compliance officer, it is a best practice to have someone responsible for ensuring HIPAA compliance, conducting risk assessments, and training employees.